937ec0724b990640c54dbf62129aaca4ca37eac1a222ea35bf76f808eec5c6e8

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2023 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f89b53e35257d_JC.exe
Size

168KB
MD5

7f89b53e35257d21f4ef7cac5a9f6d18
SHA1

129499d78cf3dc08f9488d24cd3dac5068cdc30a
SHA256

937ec0724b990640c54dbf62129aaca4ca37eac1a222ea35bf76f808eec5c6e8
SHA512

565c00a05498d651fef1412a2fca7a8ce7a2812527d95e1ed1f8ee9095660c602c852e29be6995c0984efcb8601ca02516f96a80ab53d9f6583f888ec4dfa382
SSDEEP

1536:1EGh0oplq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oplqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}\stubpath = "C:\\Windows\\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe"	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60E62687-31F8-47fc-80B3-A70B4C812879}\stubpath = "C:\\Windows\\{60E62687-31F8-47fc-80B3-A70B4C812879}.exe"	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A091F67-F0CA-46fa-B16F-49365944AF60}	{60E62687-31F8-47fc-80B3-A70B4C812879}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}\stubpath = "C:\\Windows\\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe"	{E4D83D50-2921-480b-B249-057B0417FACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}\stubpath = "C:\\Windows\\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe"	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}\stubpath = "C:\\Windows\\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe"	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}\stubpath = "C:\\Windows\\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe"	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}\stubpath = "C:\\Windows\\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe"	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}\stubpath = "C:\\Windows\\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe"	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D83D50-2921-480b-B249-057B0417FACA}	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}	{E4D83D50-2921-480b-B249-057B0417FACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A091F67-F0CA-46fa-B16F-49365944AF60}\stubpath = "C:\\Windows\\{4A091F67-F0CA-46fa-B16F-49365944AF60}.exe"	{60E62687-31F8-47fc-80B3-A70B4C812879}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}	7f89b53e35257d_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDA12525-2D5B-4d46-B319-56648E06216C}\stubpath = "C:\\Windows\\{FDA12525-2D5B-4d46-B319-56648E06216C}.exe"	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D83D50-2921-480b-B249-057B0417FACA}\stubpath = "C:\\Windows\\{E4D83D50-2921-480b-B249-057B0417FACA}.exe"	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60E62687-31F8-47fc-80B3-A70B4C812879}	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}\stubpath = "C:\\Windows\\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe"	7f89b53e35257d_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDA12525-2D5B-4d46-B319-56648E06216C}	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe

Executes dropped EXE 12 IoCs

pid	Process
4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe
4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe
3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe
2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe
5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe
1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe
452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe
5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe
5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe
3512	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe
2172	{60E62687-31F8-47fc-80B3-A70B4C812879}.exe
4580	{4A091F67-F0CA-46fa-B16F-49365944AF60}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe	7f89b53e35257d_JC.exe
File created	C:\Windows\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe
File created	C:\Windows\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe
File created	C:\Windows\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe
File created	C:\Windows\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe
File created	C:\Windows\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe	{E4D83D50-2921-480b-B249-057B0417FACA}.exe
File created	C:\Windows\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe
File created	C:\Windows\{FDA12525-2D5B-4d46-B319-56648E06216C}.exe	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe
File created	C:\Windows\{E4D83D50-2921-480b-B249-057B0417FACA}.exe	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe
File created	C:\Windows\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe
File created	C:\Windows\{60E62687-31F8-47fc-80B3-A70B4C812879}.exe	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe
File created	C:\Windows\{4A091F67-F0CA-46fa-B16F-49365944AF60}.exe	{60E62687-31F8-47fc-80B3-A70B4C812879}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4352	7f89b53e35257d_JC.exe
Token: SeIncBasePriorityPrivilege	4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe
Token: SeIncBasePriorityPrivilege	4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe
Token: SeIncBasePriorityPrivilege	3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe
Token: SeIncBasePriorityPrivilege	2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe
Token: SeIncBasePriorityPrivilege	5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe
Token: SeIncBasePriorityPrivilege	1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe
Token: SeIncBasePriorityPrivilege	452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe
Token: SeIncBasePriorityPrivilege	5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe
Token: SeIncBasePriorityPrivilege	5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe
Token: SeIncBasePriorityPrivilege	3512	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe
Token: SeIncBasePriorityPrivilege	2172	{60E62687-31F8-47fc-80B3-A70B4C812879}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4344	4352	7f89b53e35257d_JC.exe	93
PID 4352 wrote to memory of 4344	4352	7f89b53e35257d_JC.exe	93
PID 4352 wrote to memory of 4344	4352	7f89b53e35257d_JC.exe	93
PID 4352 wrote to memory of 3224	4352	7f89b53e35257d_JC.exe	94
PID 4352 wrote to memory of 3224	4352	7f89b53e35257d_JC.exe	94
PID 4352 wrote to memory of 3224	4352	7f89b53e35257d_JC.exe	94
PID 4344 wrote to memory of 4232	4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe	99
PID 4344 wrote to memory of 4232	4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe	99
PID 4344 wrote to memory of 4232	4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe	99
PID 4344 wrote to memory of 4228	4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe	98
PID 4344 wrote to memory of 4228	4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe	98
PID 4344 wrote to memory of 4228	4344	{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe	98
PID 4232 wrote to memory of 3500	4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe	101
PID 4232 wrote to memory of 3500	4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe	101
PID 4232 wrote to memory of 3500	4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe	101
PID 4232 wrote to memory of 2684	4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe	102
PID 4232 wrote to memory of 2684	4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe	102
PID 4232 wrote to memory of 2684	4232	{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe	102
PID 3500 wrote to memory of 2140	3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe	103
PID 3500 wrote to memory of 2140	3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe	103
PID 3500 wrote to memory of 2140	3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe	103
PID 3500 wrote to memory of 1656	3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe	104
PID 3500 wrote to memory of 1656	3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe	104
PID 3500 wrote to memory of 1656	3500	{FDA12525-2D5B-4d46-B319-56648E06216C}.exe	104
PID 2140 wrote to memory of 5032	2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe	105
PID 2140 wrote to memory of 5032	2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe	105
PID 2140 wrote to memory of 5032	2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe	105
PID 2140 wrote to memory of 3588	2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe	106
PID 2140 wrote to memory of 3588	2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe	106
PID 2140 wrote to memory of 3588	2140	{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe	106
PID 5032 wrote to memory of 1436	5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe	107
PID 5032 wrote to memory of 1436	5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe	107
PID 5032 wrote to memory of 1436	5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe	107
PID 5032 wrote to memory of 3656	5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe	108
PID 5032 wrote to memory of 3656	5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe	108
PID 5032 wrote to memory of 3656	5032	{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe	108
PID 1436 wrote to memory of 452	1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe	109
PID 1436 wrote to memory of 452	1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe	109
PID 1436 wrote to memory of 452	1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe	109
PID 1436 wrote to memory of 1652	1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe	110
PID 1436 wrote to memory of 1652	1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe	110
PID 1436 wrote to memory of 1652	1436	{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe	110
PID 452 wrote to memory of 5052	452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe	111
PID 452 wrote to memory of 5052	452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe	111
PID 452 wrote to memory of 5052	452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe	111
PID 452 wrote to memory of 5092	452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe	112
PID 452 wrote to memory of 5092	452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe	112
PID 452 wrote to memory of 5092	452	{E4D83D50-2921-480b-B249-057B0417FACA}.exe	112
PID 5052 wrote to memory of 5028	5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe	113
PID 5052 wrote to memory of 5028	5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe	113
PID 5052 wrote to memory of 5028	5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe	113
PID 5052 wrote to memory of 5060	5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe	114
PID 5052 wrote to memory of 5060	5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe	114
PID 5052 wrote to memory of 5060	5052	{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe	114
PID 5028 wrote to memory of 3512	5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe	116
PID 5028 wrote to memory of 3512	5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe	116
PID 5028 wrote to memory of 3512	5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe	116
PID 5028 wrote to memory of 4496	5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe	115
PID 5028 wrote to memory of 4496	5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe	115
PID 5028 wrote to memory of 4496	5028	{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe	115
PID 3512 wrote to memory of 2172	3512	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe	117
PID 3512 wrote to memory of 2172	3512	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe	117
PID 3512 wrote to memory of 2172	3512	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe	117
PID 3512 wrote to memory of 1972	3512	{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe	118

C:\Users\Admin\AppData\Local\Temp\7f89b53e35257d_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7f89b53e35257d_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe
  C:\Windows\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{965D7~1.EXE > nul
    3⤵
    PID:4228
- - C:\Windows\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe
    C:\Windows\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\{FDA12525-2D5B-4d46-B319-56648E06216C}.exe
      C:\Windows\{FDA12525-2D5B-4d46-B319-56648E06216C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe
        
        C:\Windows\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe
        
        C:\Windows\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe
        
        C:\Windows\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{E4D83D50-2921-480b-B249-057B0417FACA}.exe
        
        C:\Windows\{E4D83D50-2921-480b-B249-057B0417FACA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe
        
        C:\Windows\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe
        
        C:\Windows\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54C83~1.EXE > nul
        11⤵
        
        PID:4496
        
        C:\Windows\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe
        
        C:\Windows\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{60E62687-31F8-47fc-80B3-A70B4C812879}.exe
        
        C:\Windows\{60E62687-31F8-47fc-80B3-A70B4C812879}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{4A091F67-F0CA-46fa-B16F-49365944AF60}.exe
        
        C:\Windows\{4A091F67-F0CA-46fa-B16F-49365944AF60}.exe
        13⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60E62~1.EXE > nul
        13⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F52F~1.EXE > nul
        12⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51D7C~1.EXE > nul
        10⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D83~1.EXE > nul
        9⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E9F8~1.EXE > nul
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D06F1~1.EXE > nul
        7⤵
        
        PID:3656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDC30~1.EXE > nul
        6⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA12~1.EXE > nul
        5⤵
        
        PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B70~1.EXE > nul
      4⤵
      PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F89B5~1.EXE > nul
  2⤵
  PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe

Filesize
168KB

MD5
2a550ef39afbe4cecaca1e0f830660f5

SHA1
f8d1d11bbfda1b5a543b00bb6c3db68e0af377e1

SHA256
e61fe31aa7dbb6c3e9e4a16e3688a6b1c3cbff33b3f5dd3207a2874e6eb2d2ea

SHA512
c0694b2e125c9553e37a24d424001de574ef48937b08b0e2e433374f72b68914f5561294bf50521f4f0c3735747c11d24c6196c1ac0e06279a45c3a7ba76767a

Download Submit
C:\Windows\{0F52FC19-969C-4d2b-80AC-5EB0868ADE8D}.exe

Filesize
168KB

MD5
2a550ef39afbe4cecaca1e0f830660f5

SHA1
f8d1d11bbfda1b5a543b00bb6c3db68e0af377e1

SHA256
e61fe31aa7dbb6c3e9e4a16e3688a6b1c3cbff33b3f5dd3207a2874e6eb2d2ea

SHA512
c0694b2e125c9553e37a24d424001de574ef48937b08b0e2e433374f72b68914f5561294bf50521f4f0c3735747c11d24c6196c1ac0e06279a45c3a7ba76767a

Download Submit
C:\Windows\{4A091F67-F0CA-46fa-B16F-49365944AF60}.exe

Filesize
168KB

MD5
330ac9bf7201eed05a96789988891c77

SHA1
37557df9ba3bd537982cf534aabc9a17e4322027

SHA256
d0538a9714c1f81e08cd7cd1b41510fd66731a69a94d51ab9c685c863e0a8ef5

SHA512
9aa7fb80f3316739c53232d050de0c57199eea5c20e4e3e8c4d81fad3422d0714cb1acd2d4c11649ed99bc8d7b19d06777926e9a884674e5810fc963f57c460a

Download Submit
C:\Windows\{4A091F67-F0CA-46fa-B16F-49365944AF60}.exe

Filesize
168KB

MD5
330ac9bf7201eed05a96789988891c77

SHA1
37557df9ba3bd537982cf534aabc9a17e4322027

SHA256
d0538a9714c1f81e08cd7cd1b41510fd66731a69a94d51ab9c685c863e0a8ef5

SHA512
9aa7fb80f3316739c53232d050de0c57199eea5c20e4e3e8c4d81fad3422d0714cb1acd2d4c11649ed99bc8d7b19d06777926e9a884674e5810fc963f57c460a

Download Submit
C:\Windows\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe

Filesize
168KB

MD5
75b9cab95792f5203d20eb2700d606e8

SHA1
053392c3d8d39f86044f3e6991d9f35932b881be

SHA256
b13949b2150ccad8629c27f5e7f3d32817b130b257df1789da8700fa83cc8895

SHA512
a64bc625fb70ee2aed6e01d5df51904d8fad223959569b74772a7e309df6cd1953484ee509006089735c90fe7614776706d083a2da86a29033dc7ff10adce680

Download Submit
C:\Windows\{51D7CE06-F8C2-45a5-81C0-5E7EB1897222}.exe

Filesize
168KB

MD5
75b9cab95792f5203d20eb2700d606e8

SHA1
053392c3d8d39f86044f3e6991d9f35932b881be

SHA256
b13949b2150ccad8629c27f5e7f3d32817b130b257df1789da8700fa83cc8895

SHA512
a64bc625fb70ee2aed6e01d5df51904d8fad223959569b74772a7e309df6cd1953484ee509006089735c90fe7614776706d083a2da86a29033dc7ff10adce680

Download Submit
C:\Windows\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe

Filesize
168KB

MD5
fe2bdee9a4db5c1ff4edf3da285d4312

SHA1
bd2c4a021495e9a4909a91dc27b2aeb8933d2909

SHA256
3cc45d982c32a0776c986965f411c7c51548897ef59f3a7600abc6b2592a7b54

SHA512
a25df876a4b19cb6fdbd03742091adbf3cad2806270ae85e4a295e5e1133610a5eb5df99e940821c0f18a2636c8332e3e57976bf1fca236fe80d154711af8cdc

Download Submit
C:\Windows\{54C837BF-09C3-4c55-BF0C-8C58DF5D0EF4}.exe

Filesize
168KB

MD5
fe2bdee9a4db5c1ff4edf3da285d4312

SHA1
bd2c4a021495e9a4909a91dc27b2aeb8933d2909

SHA256
3cc45d982c32a0776c986965f411c7c51548897ef59f3a7600abc6b2592a7b54

SHA512
a25df876a4b19cb6fdbd03742091adbf3cad2806270ae85e4a295e5e1133610a5eb5df99e940821c0f18a2636c8332e3e57976bf1fca236fe80d154711af8cdc

Download Submit
C:\Windows\{60E62687-31F8-47fc-80B3-A70B4C812879}.exe

Filesize
168KB

MD5
58379239da4a88f993150578b75c7ba3

SHA1
e4b826fe7ef3f4d70dff8695273fc3d64b18f11a

SHA256
15131ffe2db7f59d8068d8cf4380b9f8929f3271e47db215bb5cabef27045a30

SHA512
e7c48e621de018889f6a04241ec8d2004188ac86fa39a292ef6c0b6bf57cbd8a772ffe7d62a39610afc7bdede661e89931dd8cc460a7335b1b462d4b5f1bf888

Download Submit
C:\Windows\{60E62687-31F8-47fc-80B3-A70B4C812879}.exe

Filesize
168KB

MD5
58379239da4a88f993150578b75c7ba3

SHA1
e4b826fe7ef3f4d70dff8695273fc3d64b18f11a

SHA256
15131ffe2db7f59d8068d8cf4380b9f8929f3271e47db215bb5cabef27045a30

SHA512
e7c48e621de018889f6a04241ec8d2004188ac86fa39a292ef6c0b6bf57cbd8a772ffe7d62a39610afc7bdede661e89931dd8cc460a7335b1b462d4b5f1bf888

Download Submit
C:\Windows\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe

Filesize
168KB

MD5
7631e1b101a05461efb5f839d2b8a05e

SHA1
bb89a9485b64994241f6f98136bf7f96237a4185

SHA256
a7aa925124f9121db5df1ddbf91ed12a053c1ba2aa9cc7405d3655a8a0690f39

SHA512
0b2746a712491b84d7c9bd45a69489130e296b2a5cb483f4fce2c394770e7146b23394d004c373f068889f53f4026fedccef75a4484cf0e2e05858ea823d1c88

Download Submit
C:\Windows\{7E9F87D8-4E6D-4c8c-A389-C839FBEF31D1}.exe

Filesize
168KB

MD5
7631e1b101a05461efb5f839d2b8a05e

SHA1
bb89a9485b64994241f6f98136bf7f96237a4185

SHA256
a7aa925124f9121db5df1ddbf91ed12a053c1ba2aa9cc7405d3655a8a0690f39

SHA512
0b2746a712491b84d7c9bd45a69489130e296b2a5cb483f4fce2c394770e7146b23394d004c373f068889f53f4026fedccef75a4484cf0e2e05858ea823d1c88

Download Submit
C:\Windows\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe

Filesize
168KB

MD5
8015d19c429e742a901b84733dbe376e

SHA1
a753b28fc6affc0b5d5d07c497d74656ee648009

SHA256
97a76e1311caea16d07f5207f963aadb682cf45cdfdf41a83535e0ae8a5fdb08

SHA512
dc2e2aa09870395ef5206adc7d1ca1a981df65fea0bfaa7508e100f720b38565ad9880cf82d41302f7f94b24c281b5ff38679c925ce5076bce169863a9313452

Download Submit
C:\Windows\{965D7E4E-34DA-4dfb-B1F6-E1A408F0CFD3}.exe

Filesize
168KB

MD5
8015d19c429e742a901b84733dbe376e

SHA1
a753b28fc6affc0b5d5d07c497d74656ee648009

SHA256
97a76e1311caea16d07f5207f963aadb682cf45cdfdf41a83535e0ae8a5fdb08

SHA512
dc2e2aa09870395ef5206adc7d1ca1a981df65fea0bfaa7508e100f720b38565ad9880cf82d41302f7f94b24c281b5ff38679c925ce5076bce169863a9313452

Download Submit
C:\Windows\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe

Filesize
168KB

MD5
c0b3c3448b8d8cc18b7429c086d9a65f

SHA1
4d494d5ba611ed4e69e6bfb8ad1f1d868a6dcbea

SHA256
42e9d873565022bffd7369c9e04a2efed5e32c5d5af709e56891ae854a5bd85c

SHA512
80b98a0d09b870994a6e13beee03f4cbc93da0035f6f1971c0b9d07de65f5d4e6971ae2855d500d9c2686233266959bf9abe9d576b1952c5219beee8e9400341

Download Submit
C:\Windows\{A7B70C18-EF49-4e83-AA4F-099A7BC66008}.exe

Filesize
168KB

MD5
c0b3c3448b8d8cc18b7429c086d9a65f

SHA1
4d494d5ba611ed4e69e6bfb8ad1f1d868a6dcbea

SHA256
42e9d873565022bffd7369c9e04a2efed5e32c5d5af709e56891ae854a5bd85c

SHA512
80b98a0d09b870994a6e13beee03f4cbc93da0035f6f1971c0b9d07de65f5d4e6971ae2855d500d9c2686233266959bf9abe9d576b1952c5219beee8e9400341

Download Submit
C:\Windows\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe

Filesize
168KB

MD5
ed97a53ca20c6b2f6f423c1f30fc7e75

SHA1
85c3c3daf62eb5e5be41886ecccb3faee6c8fec8

SHA256
a2dc07b7672c73e0cf4ee10b43f511c5ee3fcf3989698dae1fc518c652919caf

SHA512
064a5369f05a4d1dd748e8d07d26342bfac0a9da1d87a7cef6f06c3e87ab8c2b970cb08d3ac049796733cac998d4a56948f4fcf1d2109ee2d14db4692d3ce193

Download Submit
C:\Windows\{BDC30167-93FB-4e09-9733-CD1A00C2D6D4}.exe

Filesize
168KB

MD5
ed97a53ca20c6b2f6f423c1f30fc7e75

SHA1
85c3c3daf62eb5e5be41886ecccb3faee6c8fec8

SHA256
a2dc07b7672c73e0cf4ee10b43f511c5ee3fcf3989698dae1fc518c652919caf

SHA512
064a5369f05a4d1dd748e8d07d26342bfac0a9da1d87a7cef6f06c3e87ab8c2b970cb08d3ac049796733cac998d4a56948f4fcf1d2109ee2d14db4692d3ce193

Download Submit
C:\Windows\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe

Filesize
168KB

MD5
ce9b2145fb9e1dccb9e825ed0fd87eae

SHA1
0fb6a9e5aa03e7ae9cb316f329a683c8913016f1

SHA256
d10b43be8195ff4e00904a264aa32277c064dad29feb17e01b0909e6b6408f11

SHA512
51ac5bb9f72db9438fdd533c1d1cba9afd46bec48d6284aa1b70cdf3eca715d4351d7c20b11f353740dc0012180da074bd9dae90f4f97d179e02b628ab7b8011

Download Submit
C:\Windows\{D06F1A60-4E8E-4402-B5D3-ADDA859443D3}.exe

Filesize
168KB

MD5
ce9b2145fb9e1dccb9e825ed0fd87eae

SHA1
0fb6a9e5aa03e7ae9cb316f329a683c8913016f1

SHA256
d10b43be8195ff4e00904a264aa32277c064dad29feb17e01b0909e6b6408f11

SHA512
51ac5bb9f72db9438fdd533c1d1cba9afd46bec48d6284aa1b70cdf3eca715d4351d7c20b11f353740dc0012180da074bd9dae90f4f97d179e02b628ab7b8011

Download Submit
C:\Windows\{E4D83D50-2921-480b-B249-057B0417FACA}.exe

Filesize
168KB

MD5
fed4b733d2f9d6fa112dab9fea5d9926

SHA1
89134c2b7aaecbb17ef9fdbbf1c708d05810324d

SHA256
191c8eb29d8e5264451b2ef9402b060da5dbc95bf31b945e5d26e7661f0c14c5

SHA512
2fa95264994977d6f2091c55188018687b7c9508152d5bfa362d6f39669c5172f407b694797a1567a6b48e83a24f71d5b0327888c60b9255a63a5ca5e1338236

Download Submit
C:\Windows\{E4D83D50-2921-480b-B249-057B0417FACA}.exe

Filesize
168KB

MD5
fed4b733d2f9d6fa112dab9fea5d9926

SHA1
89134c2b7aaecbb17ef9fdbbf1c708d05810324d

SHA256
191c8eb29d8e5264451b2ef9402b060da5dbc95bf31b945e5d26e7661f0c14c5

SHA512
2fa95264994977d6f2091c55188018687b7c9508152d5bfa362d6f39669c5172f407b694797a1567a6b48e83a24f71d5b0327888c60b9255a63a5ca5e1338236

Download Submit
C:\Windows\{FDA12525-2D5B-4d46-B319-56648E06216C}.exe

Filesize
168KB

MD5
6ab9eb7f5b888523d361a24c8865862c

SHA1
94c4c93c731d207e44aa2fbdef2a83a7b54eb284

SHA256
3df4c99c2c883cbb9ef85b11d80daf91800d29a6c14c123a1d7f56c806cb727b

SHA512
d535883640eec716e3f0c83cb4978468f044ef8dd4f5ef4c4f20bd7bda3175a46e860ae1935259e546aef70f054a09b39c2a3d1ba5bae91b11fd778fca5e7136

Download Submit
C:\Windows\{FDA12525-2D5B-4d46-B319-56648E06216C}.exe

Filesize
168KB

MD5
6ab9eb7f5b888523d361a24c8865862c

SHA1
94c4c93c731d207e44aa2fbdef2a83a7b54eb284

SHA256
3df4c99c2c883cbb9ef85b11d80daf91800d29a6c14c123a1d7f56c806cb727b

SHA512
d535883640eec716e3f0c83cb4978468f044ef8dd4f5ef4c4f20bd7bda3175a46e860ae1935259e546aef70f054a09b39c2a3d1ba5bae91b11fd778fca5e7136

Download Submit
C:\Windows\{FDA12525-2D5B-4d46-B319-56648E06216C}.exe

Filesize
168KB

MD5
6ab9eb7f5b888523d361a24c8865862c

SHA1
94c4c93c731d207e44aa2fbdef2a83a7b54eb284

SHA256
3df4c99c2c883cbb9ef85b11d80daf91800d29a6c14c123a1d7f56c806cb727b

SHA512
d535883640eec716e3f0c83cb4978468f044ef8dd4f5ef4c4f20bd7bda3175a46e860ae1935259e546aef70f054a09b39c2a3d1ba5bae91b11fd778fca5e7136

Download Submit